28 Apr 2012, 3:28 p.m.
Rubens Kuhl (rubensk) writes:
In case you feel a BGP announcement should not be "RPKI Invalid" but something else, you do what's described on slides 15-17:
https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
The same currently happens with DNSSEC, doing what Comcast calls "negative trust anchors": http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01
Yes, NTAs was the comparison that came to my mind as well. Or even in classic DNS, overriding with stubs. You will get bitten by a bogus/flawed ROA, but you'll have the chance to mitigate it. Any kind of centralized mechanism like this is subject to these risks, no matter what the distribution mechanism is.
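
The local-override idea discussed above, as an added example that is not part of the original message or of any validator's code: route origin validation in the style of RFC 6811, run once on the raw validated ROA payloads (VRPs) and once after local policy is applied. The names IGNORE_FILTERS, LOCAL_ASSERTIONS and effective_vrps are hypothetical, and all prefixes and AS numbers are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample VRPs: (prefix, maxLength, origin ASN).
VRPS = [
    ("192.0.2.0/24", 24, 64496),
    ("198.51.100.0/24", 24, 64497),  # assume this ROA is flawed (wrong origin)
]
# Hypothetical local policy, the RPKI analogue of a negative trust anchor.
IGNORE_FILTERS = ["198.51.100.0/24"]                # discard VRPs under this prefix
LOCAL_ASSERTIONS = [("203.0.113.0/24", 24, 64499)]  # locally asserted origin


def covers(outer, inner):
    """True if network `inner` is equal to or more specific than `outer`."""
    return outer.version == inner.version and inner.subnet_of(outer)


def effective_vrps(vrps, ignore, assertions):
    """Drop VRPs matched by an ignore filter, then append local assertions."""
    filters = [ipaddress.ip_network(p) for p in ignore]
    kept = [v for v in vrps
            if not any(covers(f, ipaddress.ip_network(v[0])) for f in filters)]
    return kept + list(assertions)


def validate(prefix, origin, vrps):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, asn in vrps:
        if covers(ipaddress.ip_network(vrp_prefix), route):
            covered = True  # at least one VRP speaks for this address space
            if asn == origin and route.prefixlen <= max_len:
                return "valid"
    return "invalid" if covered else "not-found"


if __name__ == "__main__":
    local = effective_vrps(VRPS, IGNORE_FILTERS, LOCAL_ASSERTIONS)
    for route in [("198.51.100.0/24", 64498), ("203.0.113.0/24", 64499),
                  ("192.0.2.0/25", 64496)]:
        print(route, validate(*route, VRPS), "->", validate(*route, local))
```

Filtering the flawed ROA moves the affected announcement from "invalid" to "not-found" rather than to "valid", so it is treated like unsigned address space; only a local assertion makes a route "valid".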